LinuxQuestions.org


raphaeldavidf 10-30-2012 08:05 PM

Invalid packet messages in dmesg on Slackware64 14
 
Hey guys,

For a while now I've noticed these messages in my dmesg output:


Code:

[ 2780.795888] Invalid packet: IN=wlan0 OUT= MAC=ec:55:f9:af:27:be:00:0c:42:71:9d:bc:08:00 SRC=74.125.234.177 DST=192.168.88.199 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=65392 PROTO=TCP SPT=443 DPT=44817 WINDOW=0 RES=0x00 RST URGP=0
[ 3142.305954] Invalid packet: IN=wlan0 OUT= MAC=ec:55:f9:af:27:be:00:0c:42:71:9d:bc:08:00 SRC=69.63.190.74 DST=192.168.88.199 LEN=40 TOS=0x00 PREC=0x00 TTL=239 ID=28080 DF PROTO=TCP SPT=80 DPT=38955 WINDOW=0 RES=0x00 ACK RST URGP=0
[ 3255.536373] Invalid packet: IN=wlan0 OUT= MAC=ec:55:f9:af:27:be:00:0c:42:71:9d:bc:08:00 SRC=69.63.190.74 DST=192.168.88.199 LEN=40 TOS=0x00 PREC=0x00 TTL=239 ID=13768 DF PROTO=TCP SPT=80 DPT=38953 WINDOW=0 RES=0x00 ACK RST URGP=0
[ 3363.902825] Invalid packet: IN=wlan0 OUT= MAC=ec:55:f9:af:27:be:00:0c:42:71:9d:bc:08:00 SRC=69.63.190.74 DST=192.168.88.199 LEN=40 TOS=0x00 PREC=0x00 TTL=239 ID=9579 DF PROTO=TCP SPT=80 DPT=38952 WINDOW=0 RES=0x00 ACK RST URGP=0
[ 3511.905695] Invalid packet: IN=wlan0 OUT= MAC=ec:55:f9:af:27:be:00:0c:42:71:9d:bc:08:00 SRC=199.47.217.177 DST=192.168.88.199 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=443 DPT=41920 WINDOW=0 RES=0x00 RST URGP=0
[ 4660.165956] Invalid packet: IN=wlan0 OUT= MAC=ec:55:f9:af:27:be:00:0c:42:71:9d:bc:08:00 SRC=74.125.234.185 DST=192.168.88.199 LEN=40 TOS=0x00 PREC=0x00 TTL=56 ID=9516 PROTO=TCP SPT=443 DPT=57088 WINDOW=0 RES=0x00 RST URGP=0
[ 4660.170552] Invalid packet: IN=wlan0 OUT= MAC=ec:55:f9:af:27:be:00:0c:42:71:9d:bc:08:00 SRC=74.125.234.185 DST=192.168.88.199 LEN=40 TOS=0x00 PREC=0x00 TTL=56 ID=9517 PROTO=TCP SPT=443 DPT=57088 WINDOW=0 RES=0x00 RST URGP=0
[ 4976.340183] Invalid packet: IN=wlan0 OUT= MAC=ec:55:f9:af:27:be:00:0c:42:71:9d:bc:08:00 SRC=173.194.34.79 DST=192.168.88.199 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=3662 PROTO=TCP SPT=443 DPT=44741 WINDOW=0 RES=0x00 RST URGP=0
[ 5343.291404] Invalid packet: IN=wlan0 OUT= MAC=ec:55:f9:af:27:be:00:0c:42:71:9d:bc:08:00 SRC=74.125.234.161 DST=192.168.88.199 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=18881 PROTO=TCP SPT=443 DPT=41007 WINDOW=0 RES=0x00 RST URGP=0

What does it mean? Is it some wrong configuration?

Thanks

Habitual 10-30-2012 08:38 PM

Code:

173.194.34.79 is GOOGLE
199.47.217.177 is DROPBOX
69.63.190.74 is TFBNET2
74.125.234.161 is GOOGLE
74.125.234.177 is GOOGLE
74.125.234.185 is GOOGLE

Try
Code:

grep -iw wlan0 /var/log/*
and look for another clue. :)

raphaeldavidf 10-30-2012 09:59 PM

With
Code:

grep -iw wlan0 /var/log/*
the only strange thing that I found was this

Code:

/var/log/syslog.1:Oct 27 21:17:26 DeathStar kernel: [ 2255.613646] INPUT packet died: IN=wlan0 OUT= MAC= SRC=192.168.88.199 DST=239.192.152.143 LEN=147 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=UDP SPT=36708 DPT=6771 LEN=127
/var/log/syslog.1:Oct 27 21:17:26 DeathStar kernel: [ 2255.613737] INPUT packet died: IN=wlan0 OUT= MAC= SRC=192.168.88.199 DST=239.192.152.143 LEN=147 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=6771 DPT=6771 LEN=127
/var/log/syslog.1:Oct 27 21:17:26 DeathStar kernel: [ 2255.613781] INPUT packet died: IN=wlan0 OUT= MAC= SRC=192.168.88.199 DST=239.192.152.143 LEN=147 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=6771 DPT=6771 LEN=127

But I still don't have a clue...
The output is attached (the complete output was 6 MB, so I edited it to leave only the newer messages).

bormant 10-31-2012 07:02 AM

You can look at your firewall settings; somewhere there will be -j LOG --log-prefix="INPUT packet died: ". These messages are generated by that firewall rule.

dive 10-31-2012 09:57 AM

Yeah logging firewall rules is something for the masochists among us ;)

tobyl 10-31-2012 02:41 PM

You can use an online whois to look up destination IP addresses, as Habitual probably did for you.

You can google port numbers (or look at /etc/services) to get an idea of what service is using that port.

6771 is often used by a p2p service called Transmission; perhaps someone on your LAN is using this?
If you have run a p2p app recently, and you have quit the application, peers will still try to connect for a while and your firewall will reject them. One of those 3 lines has a TTL of one, and all have a local IP of 192.168.88.199 - this sounds like local broadcast traffic.

One of my favourites is (as root)
Quote:

netstat -pantu
This will tell you what services you have running and which ports they are using.
Quote:

lsof -i
gives similar info

You should be able to match this info with your log output to help you see what is going on on your network.

tobyl

raphaeldavidf 10-31-2012 02:45 PM

Thanks guys for all the replies. As soon as I get home I'll try them out. =D

raphaeldavidf 11-01-2012 05:24 PM

Thanks bormant and all the others for the help, it was this
Code:

-j LOG --log-prefix="INPUT packet died: "
in my firewall rules. The problem was solved when I removed this.

unSpawn 11-01-2012 09:12 PM

Quote:

Originally Posted by raphaeldavidf (Post 4820037)
The problem was solved when I removed this.

The first batch was tagged "Invalid packet:", marking packets containing a RST flag, which differs from the second batch as they carry no clue at all wrt reasons for filtering. So IMHO the only thing removing that log target or firewall rule accomplished was to stop logging instead of making you aware why that rule was there in the first place...

